On Thu, May 31, 2018 at 10:36:27PM -0700, Jonathan Nieder wrote:
>...
> I don't think most users of testing realize that
> they also need to include stable-backports in sources.list to get
> security fixes.
>...

No, this wouldn't get them all security fixes.

It would only make a difference when the package with the security fix is backported at all *and* the backport is done before the package migrated to testing.

This might help in some special cases like your package here, but wouldn't make any difference for packages like chromium or firefox-esr that never get backported and sometimes don't migrate to testing for a long time.

As an example, Chromium last migrated to testing in November.

Telling users that including stable-backports to sources.list would make their testing system secure would just be hiding the problem that their browser is 3 DSAs and 100 CVEs (sic) behind the version in stable-security.

testing (and even unstable) often get security fixes after stable, and we should be honest about the fact that the security-supported part of Debian is a subset of stable[1] without backports.

cu
Adrian

[1] plus (old)oldstable

-- 
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed